Loading...

Messages

Proposals

Stuck in your homework and missing deadline? Get urgent help in $10/Page with 24 hours deadline

Get Urgent Writing Help In Your Essays, Assignments, Homeworks, Dissertation, Thesis Or Coursework & Achieve A+ Grades.

Privacy Guaranteed - 100% Plagiarism Free Writing - Free Turnitin Report - Professional And Experienced Writers - 24/7 Online Support

Many practitioners feel that a system, once compromised, can never be restored to a trusted state.

15/12/2020 Client: saad24vbs Deadline: 2 Day

Principles of Incident Response and


Disaster Recovery, 2nd Edition


Chapter 7 Incident Response: Response Strategies


Objectives


• Explain what an IR reaction strategy is and list general strategies that apply to all incidents


• Define incident containment and describe how it is applied to an incident


• List some of the more common categories of incidents that may occur


• Discuss the IR reaction strategies unique to each category of incident


Principles of Incident Response and Disaster Recovery, 2nd Edition 2


Introduction


• What do we do once we have detected an incident?


• IR reaction strategies – Procedures for regaining control of systems and


restoring operations to normalcy – Are at the heart of the IR plan and the CSIRT’s


operations • How the CSIRT responds to an incident relies in


part on its mission philosophy: – Protect and forget – Apprehend and prosecute


Principles of Incident Response and Disaster Recovery, 2nd Edition 3


IR Response Strategies


• Once the CSIRT has been notified and arrives “on scene ” – First: assess the situation – Second: begin asserting control and make positive


steps to regain control over the organization’s information assets


Principles of Incident Response and Disaster Recovery, 2nd Edition 4


IR Response Strategies (cont'd.)


Principles of Incident Response and Disaster Recovery, 2nd Edition 5


Response Preparation


• Prevention strategies – Using risk assessment to make informed decisions – Acquiring and maintaining good host security – Acquiring and maintaining good network security – Implementing comprehensive malware prevention – Thorough and ongoing training to raise user


awareness


Principles of Incident Response and Disaster Recovery, 2nd Edition 6


Incident Containment


• Containment strategies – Monitoring system and network activities – Disabling access to compromised systems that are


shared with other computers – Changing passwords or disabling accounts of


compromised systems – Disabling system services, if possible


Principles of Incident Response and Disaster Recovery, 2nd Edition 7


Incident Containment


• Containment strategies (cont’d.) – Disconnecting compromised systems (or networks)


from the local network – Temporarily shutting down compromised systems – Verifying that redundant systems and data have not


been compromised


Principles of Incident Response and Disaster Recovery, 2nd Edition 8


Principles of Incident Response and Disaster Recovery, 2nd Edition 9


Incident Containment (cont'd.)


• Identifying the attacking hosts involves: – Verifying the IP address of the attacking system – Web-based research of the attacking host’s IP


address – Incident/attack database searches – Attacker back-channel and side-channel


communications


Principles of Incident Response and Disaster Recovery, 2nd Edition 10


Incident Eradication


• Many practitioners feel that a system, once compromised, can never be restored to a trusted state


• To prevent concurrent recurrence – Team must continuously monitor the assets


associated with the current incident and the remaining assets that may be susceptible to attack


– The organization’s monitoring teams should be on high alert, carefully examining communications and system activities


Principles of Incident Response and Disaster Recovery, 2nd Edition 11


Incident Recovery


• The reestablishment of the pre-incident status of all organizational systems


• Incident recovery involves: – Implementing the backup and recovery plans that


should already be in place before the attack • Difficult part of recovery


– The identification of data that may have been disclosed


Principles of Incident Response and Disaster Recovery, 2nd Edition 12


Incident Containment and Eradication Strategies for Specific Attacks


• CSIRT leader must determine appropriate response based on certain aspects of the incident – Type – Method of incursion – Current level of success – Current level of loss – Expected or projected level of loss – Target – Target’s level of classification and/or sensitivity – Any legal or regulatory impacts mandating a specific


response Principles of Incident Response and Disaster Recovery, 2nd Edition 13


Incident Containment and Eradication Strategies for Specific Attacks (cont'd.) • Containment strategy should include details about


how the organization will handle: – Theft or damage to assets – Whether to preserve evidence for potential criminal


prosecution – Service-level commitments and contract


requirements to customers – Allocation of necessary resources to activate


strategy – Graduated responses that may be necessary – Duration of containment efforts


Principles of Incident Response and Disaster Recovery, 2nd Edition 14


Handling Denial of Service (DoS) Incidents


• Denial-of-service (DoS) attack – Occurs when an attacker’s action prevents the


legitimate users of a system from using it • Distributed denial-of-service (DDoS) attack


– The use of multiple systems to simultaneously attack a single target


Principles of Incident Response and Disaster Recovery, 2nd Edition 15


Handling Denial of Service (DoS) Incidents (cont'd.)


• Tasks to be performed before the DoS incident – Coordinating with service provider – Collaborating and coordinating with professional


response agencies – Implementation of prevention technologies – Monitoring resources – Coordinating the monitoring and analysis capabilities – Setting up logging and documentation – Configuring network devices to prevent DoS


incidents


Principles of Incident Response and Disaster Recovery, 2nd Edition 16


Handling Denial of Service (DoS) Incidents (cont'd.)


• Containment strategies during the DoS incident – Try to fix the source of the problem – Change the organization’s filtering strategy – Try to filter based on the characteristics of the attack – Engage upstream partners – Eliminate or relocate the target system


Principles of Incident Response and Disaster Recovery, 2nd Edition 17


Handling Denial of Service (DoS) Incidents (cont'd.)


Principles of Incident Response and Disaster Recovery, 2nd Edition 18


Principles of Incident Response and Disaster Recovery, 2nd Edition 19


Handling Denial of Service (DoS) Incidents (cont'd.)


• After the DoS attack, the organization: – Should consider its overall philosophy of protect and


forget or apprehend and prosecute – Will want to collect evidence to see how the incident


occurred and to provide insight into how to avoid future recurrences


Principles of Incident Response and Disaster Recovery, 2nd Edition 20


Principles of Incident Response and Disaster Recovery, 2nd Edition 21


Principles of Incident Response and Disaster Recovery, 2nd Edition 22


Malware


• Designed to damage, destroy, or deny service to the target systems


• Common instances include: – Viruses and worms, Trojan horses, logic bombs,


back doors, and rootkits • Cookie


– Data kept by a Web site as a means of recording that a system has visited the site


• Tracking cookie – Collects valuable personal information, then sends it


along to the attacker Principles of Incident Response and Disaster Recovery, 2nd Edition 23


Malware (cont'd.)


• Before the malware incident : – Schedule awareness programs to inform users


about current malware issues – Keep up on vendor and IR agency postings and


bulletins – Implement appropriate IDPS – Conduct effective inventory and data organization – Implement and test data backup and recovery


programs


Principles of Incident Response and Disaster Recovery, 2nd Edition 24


Malware (cont'd.)


• To search for undetected infections during the malware incident – Scan internal systems to look for active service ports – Use updated scanning and cleanup tools promptly


and aggressively – Analyze logs from e-mail servers, firewalls, IDPSs,


and individual host log files for anomalous items – Give network and host intrusion systems access to


signature files that can indicate when certain behaviors have occurred


– Conduct periodic and ongoing audits Principles of Incident Response and Disaster Recovery, 2nd Edition 25


Principles of Incident Response and Disaster Recovery, 2nd Edition 26


Principles of Incident Response and Disaster Recovery, 2nd Edition 27


Principles of Incident Response and Disaster Recovery, 2nd Edition 28


Malware (cont'd.)


• Response strategies for malware outbreaks include: – Filtering e-mail based on subject, attachment type


using malware signatures, or other criteria – Blocking known attackers – Interrupting some services – Severing networks from the Internet or each other – Engaging the users – Disrupting service


Principles of Incident Response and Disaster Recovery, 2nd Edition 29


Malware (cont'd.)


• After the malware incident – System should be constantly monitored to prevent


re-infection – Distribute warnings that a particular malware


incident has occurred and that it was successfully handled


Principles of Incident Response and Disaster Recovery, 2nd Edition 30


Unauthorized Access


• Attempts by insiders to escalate privileges and access information and other assets for which they do not explicitly have authorization


• Some examples of UA – Gaining unauthorized administrative control of any


server or service – Gaining unauthorized access to any network or


computing resource – Defacing or unauthorized modification of any public-


facing information service


Principles of Incident Response and Disaster Recovery, 2nd Edition 31


Principles of Incident Response and Disaster Recovery, 2nd Edition 32


Unauthorized Access (cont'd.)


• Before the UA incident – Placing a common central log server in a more


highly protected area of the network will certainly assist in post-event analyses


– Implementing an effective password policy and having both a complete and usable management policy as well as technology-enforced password requirements is critical


Principles of Incident Response and Disaster Recovery, 2nd Edition 33


Principles of Incident Response and Disaster Recovery, 2nd Edition 34


Principles of Incident Response and Disaster Recovery, 2nd Edition 35


Unauthorized Access (cont'd.)


• During the UA incident – NIST recommends the following containment


strategies • Isolate • Disable • Block • Disable • Lockdown


Principles of Incident Response and Disaster Recovery, 2nd Edition 36


Principles of Incident Response and Disaster Recovery, 2nd Edition 37


Principles of Incident Response and Disaster Recovery, 2nd Edition 38


Unauthorized Access (cont'd.)


• After the UA incident – The task of identifying the avenue of attack and


closing any still-open repeat mechanisms begins – The organization must identify the extent of the


damage and look for any residual effects – The CSIRT should always presume that if a critical


information asset was accessed, the data stored within it is compromised


Principles of Incident Response and Disaster Recovery, 2nd Edition 39


Principles of Incident Response and Disaster Recovery, 2nd Edition 40


Inappropriate Use


• IU incidents – Predominantly characterized as a violation of policy


rather than an effort to abuse existing systems • The following can be considered IU incidents


– Inappropriate and/or unauthorized software or services


– Organizational resources used for personal reasons – Organizational resources used to harass coworkers – Restricted company information and other assets


stored in external sites


Principles of Incident Response and Disaster Recovery, 2nd Edition 41


Inappropriate Use (cont'd.)


• Before the IU incident – For a policy to become enforceable, it must meet the


following five criteria • Dissemination (distribution) • Review (reading) • Comprehension (understanding) • Compliance (agreement) • Uniform enforcement


Principles of Incident Response and Disaster Recovery, 2nd Edition 42


Inappropriate Use (cont'd.)


• During the IU incident – Level of authority an individual manager has


• Important thing to consider when investigating a potential IU incident


– Clear policies must be in place that discuss the level of direct investigation the CSIRT may undertake


– The organization should clearly define the circumstances under which the CSIRT and/or management may investigate the interior of a piece of organization equipment


Principles of Incident Response and Disaster Recovery, 2nd Edition 43


Principles of Incident Response and Disaster Recovery, 2nd Edition 44


Principles of Incident Response and Disaster Recovery, 2nd Edition 45


Inappropriate Use (cont'd.)


• After the IU incident – The CSIRT will typically turn copies of all


documentation over to management for administrative handling, then monitor the offending systems for possible recurrences


Principles of Incident Response and Disaster Recovery, 2nd Edition 46


Principles of Incident Response and Disaster Recovery, 2nd Edition 47


Hybrid or Multicomponent Incidents


• Many incidents begin with one type of event, then transition to another


• Timeliness is a factor in prioritizing the response • Key recommendations for handling hybrid incidents


– Use software to support incident management – Prioritize each incident component as it arises – Contain each incident, then scan for others


Principles of Incident Response and Disaster Recovery, 2nd Edition 48


Principles of Incident Response and Disaster Recovery, 2nd Edition 49


Automated IR Response Systems


• The CSIRT must document and preserve every action, file, event, and item of potential evidentiary value


• Automated IR systems to facilitate IR documentation are available through a number of vendors


Principles of Incident Response and Disaster Recovery, 2nd Edition 50


Summary


• IR reaction strategies – Plans for regaining control of systems and restoring


operations to normality in the event of an incident • Once the CSIRT is active, the first task that must


occur is an assessment of the situation • Some prevention strategies include:


– Risk assessment – Acquiring and maintaining good host security – Acquiring and maintaining good network security


• It is imperative to contain a confirmed incident Principles of Incident Response and Disaster Recovery, 2nd Edition 51


Summary (cont'd.)


• Incident recovery – The reestablishment of the pre-incident status of all


organizational systems • The selection of the appropriate reaction strategy is


an exercise in risk assessment • Denial of service (DoS)


– Occurs when an attacker’s action prevents the legitimate users of a system or network from using it


Principles of Incident Response and Disaster Recovery, 2nd Edition 52


Principles of �Incident Response and Disaster Recovery, 2nd Edition

Objectives

Introduction

IR Response Strategies

IR Response Strategies (cont'd.)

Response Preparation

Incident Containment

Incident Containment

Slide Number 9

Incident Containment (cont'd.)

Incident Eradication

Incident Recovery

Incident Containment and Eradication Strategies for Specific Attacks

Incident Containment and Eradication�Strategies for Specific Attacks (cont'd.)

Handling Denial of Service (DoS) Incidents

Handling Denial of Service (DoS) Incidents (cont'd.)

Handling Denial of Service (DoS) Incidents (cont'd.)

Handling Denial of Service (DoS) Incidents (cont'd.)

Slide Number 19

Handling Denial of Service (DoS) Incidents (cont'd.)

Slide Number 21

Slide Number 22

Malware

Malware (cont'd.)

Malware (cont'd.)

Slide Number 26

Slide Number 27

Slide Number 28

Malware (cont'd.)

Malware (cont'd.)

Unauthorized Access

Slide Number 32

Unauthorized Access (cont'd.)

Slide Number 34

Unauthorized Access (cont'd.)

Slide Number 36

Slide Number 37

Slide Number 38

Unauthorized Access (cont'd.)

Slide Number 40

Inappropriate Use

Inappropriate Use (cont'd.)

Inappropriate Use (cont'd.)

Slide Number 44

Slide Number 45

Inappropriate Use (cont'd.)

Slide Number 47

Hybrid or Multicomponent Incidents

Slide Number 49

Automated IR Response Systems

Summary

Summary (cont'd.)

Applied Sciences

Architecture and Design

Biology

Business & Finance

Chemistry

Computer Science

Geography

Geology

Education

Engineering

English

Environmental science

Spanish

Government

History

Human Resource Management

Information Systems

Law

Literature

Mathematics

Nursing

Physics

Political Science

Psychology

Reading

Science

Social Science

Home

Blog

Archive

Contact

google+twitterfacebook

Copyright © 2019 HomeworkMarket.com

Homework is Completed By:

Writer Writer Name Amount Client Comments & Rating
Instant Homework Helper

ONLINE

Instant Homework Helper

$36

She helped me in last minute in a very reasonable price. She is a lifesaver, I got A+ grade in my homework, I will surely hire her again for my next assignments, Thumbs Up!

Order & Get This Solution Within 3 Hours in $25/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 3 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

Order & Get This Solution Within 6 Hours in $20/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 6 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

Order & Get This Solution Within 12 Hours in $15/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 12 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

6 writers have sent their proposals to do this homework:

Homework Guru
Best Coursework Help
Top Essay Tutor
University Coursework Help
Writer Writer Name Offer Chat
Homework Guru

ONLINE

Homework Guru

Hi dear, I am ready to do your homework in a reasonable price and in a timely manner.

$82 Chat With Writer
Best Coursework Help

ONLINE

Best Coursework Help

I am an Academic writer with 10 years of experience. As an Academic writer, my aim is to generate unique content without Plagiarism as per the client’s requirements.

$80 Chat With Writer
Top Essay Tutor

ONLINE

Top Essay Tutor

I have more than 12 years of experience in managing online classes, exams, and quizzes on different websites like; Connect, McGraw-Hill, and Blackboard. I always provide a guarantee to my clients for their grades.

$85 Chat With Writer
University Coursework Help

ONLINE

University Coursework Help

Hi dear, I am ready to do your homework in a reasonable price.

$82 Chat With Writer

Let our expert academic writers to help you in achieving a+ grades in your homework, assignment, quiz or exam.

Similar Homework Questions

Connected graph definition d1 - Aylesbury sexual health clinic - Primary obligor accounting - Discussion: Identify Researchable Problems - Add and subtract in scientific notation - Management representation letter template - Bill nye the science guy cells worksheet answer key - Sony mobile marketing strategy - ITCC200 - Hartley grove halls southampton - Teal accent 4 soft bevel - Fetal pig dissection assignment - The ugly american chapter summaries free - Track my maccas case study - Science lab questions and answers - How do companies expand internationally - Conveyor belt project answers - Discussion - Fresh Off the boat essay question of standards - Disaster recovery - The work in process inventory account of a manufacturing corporation - Db 15 connector sound card - Domestic and general sky protect phone number - Standardization of 0.1 m sodium hydroxide - PSYCHOLOGY 103 REFLECTION PAPER - Robin hood case analysis - Use link to answer questions - Planning developmentally appropriate activities - You are cordially invited to attend a dinner - Chem Lab, Introduction to molecules - Hybrid idps systems event correlation - +91-8890675453 vashikaran specialist IN Kulti - How does social science inquiry advance and evolve over time - Advantages of continuing education for nurses - Fan letter to idol - Church company completes these transactions - Chapter 4 conducting marketing research and forecasting demand - Level 2 mandatory units answers - General inspection of patient - Business Strategies - Journal/ final reflication - Management information system quiz questions answers - Engstrom auto mirror plant root cause analysis - Which of the following italicized words is correctly capitalized - A beggar's brother died riddle - Purdue applied behavior analysis - INTERNATIONL MOLANA{{+91-9829866507}} Love Vashikaran Specialist Molvi Ji - Human resource management and performance still searching for some answers - E24 2 post balance sheet events - The lodge yorkshire clinic - Comp10 - Benefits of hot sauce - Decreased intracranial adaptive capacity nursing care plan - Ucumberlands edu blackboard - What is the total amount of traceable fixed manufacturing overhead for each of the two products? - Week1 eco - Prescriptive authority for nurse practitioners in texas - Saudi cable low voltage catalogue pdf - Common cross stitch mistakes - Hypothesis Testing and Confidence Intervals - Need help - SOCW 6361 - Unit 40 international marketing assignment - ECO 100 DISCUSSION FEDERAL RESERVE BANK - SOAP note - Franklin purchases 40 percent of johnson company - Discussion part 8 - Analysis of an aluminum zinc alloy answers - Laerdal premier suction unit - Cisco ise wlc posture redirect acl - Gadget junkie text file for builds not formatted correctly - Mental health - Hotel on the corner of bitter and sweet cliff notes - Ford pinto case ethics - 3 heavenly bodies that were discovered using radio waves - Monster high 13 wishes - ECON Question - Uniform circular motion pre lab - Sure thing ives analysis - Ocean carriers case - Ethical egoism strengths and weaknesses - Fremantle rebels softball club - Gaia cs umass edu wireshark labs - 1123 hours in days - Vodafone in egypt case study answers - Human Resource Deliver In 10hrs - Creating Visio Data Models and Designs Using Visio - Imperial college london fees - Trace or copy the graph of the given function - International diploma in language teaching management - A polar bear starts at the north pole - Spring harvest skegness 2013 - Schmitt trigger oscillator op amp - 04.04 civil rights assessment - How does food become compromised by microbes - English - Nursing - Backslap sunscreen applicator - I need 4000 words Report the Importance of Personal Finance - Stress strain curve for mild steel and cast iron